
7.5. Migrating from NIS to FreeIPA

There is no direct migration path from NIS to FreeIPA. This is a manual process with three major steps: setting up netgroup entries in FreeIPA, exporting the existing data from NIS, and importing that data into FreeIPA. There are several options for how to set up the FreeIPA environment and how to export data; the best option depends on the type of data and the overall network environment that you have.

7.5.1. Preparing Netgroup Entries in FreeIPA

The first step is to identify what kinds of identities are being managed by NIS. Frequently, a NIS server is used for either user entries or host entries, but not for both, which can simplify the data migration process.
For user entries
Determine what applications are using the user information in the NIS server. While some clients (like sudo) require NIS netgroups, many clients can use Unix groups instead. If no netgroups are required, then simply create corresponding user accounts in FreeIPA and delete the netgroups entirely. Otherwise, create the user entries in FreeIPA and then create a FreeIPA-managed netgroup and add those users as members. This is described in Section 7.3, “Creating Netgroups”.
For host entries
Whenever a host group is created in FreeIPA, a corresponding shadow netgroup (a NIS-style netgroup with the same name) is automatically created. These netgroups can then be managed using the ipa-host-net-manage command.
For a direct conversion
It may be necessary to have an exact conversion, with every NIS user and host having an exact corresponding entry in FreeIPA. In that case, each entry can be created using the original NIS names:
  1. Create an entry for every user referenced in a netgroup.
  2. Create an entry for every host referenced in a netgroup.
  3. Create a netgroup with the same name as the original netgroup.
  4. Add the users and hosts as direct members of the netgroup. Alternatively, add the users and hosts to FreeIPA groups or other netgroups, and then add those groups as members of the netgroup.
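The four steps above are mechanical once the NIS netgroup map is exported, so they are worth scripting. The following is an added example, not part of the original documentation or of FreeIPA itself: it parses the output of `ypcat -k netgroup` (a constructed sample map is embedded), resolves nested netgroups so that a child netgroup is always created before the parent that references it, and prints the `ipa` commands for steps 1 through 4 instead of running them, so the plan can be reviewed before anything is written to FreeIPA. The `--first`/`--last` values and `--force` on host-add are assumptions: NIS carries no real names, and the hosts may not yet be in DNS.

```python
import re
from collections import OrderedDict

# Constructed sample of `ypcat -k netgroup` output. Members are NIS triples
# (host,user,domain) or the names of other netgroups.
NIS_NETGROUP_MAP = """\
admins (,alice,) (,bob,)
webhosts (web1.example.com,,) (web2.example.com,,)
ops admins (db1.example.com,carol,)
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_map(text):
    """Parse a netgroup map into {name: (hosts, users, nested_netgroups)}.

    Assumes triples contain no whitespace (the usual ypcat layout); a "-"
    in a field means "no valid value" in NIS and is skipped.
    """
    groups = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        hosts, users, nested = [], [], []
        for tok in rest.split():
            m = TRIPLE_RE.fullmatch(tok)
            if m:
                host, user, _domain = (s.strip() for s in m.groups())
                if host and host != "-":
                    hosts.append(host)
                if user and user != "-":
                    users.append(user)
            else:
                nested.append(tok)  # reference to another netgroup
        groups[name] = (hosts, users, nested)
    return groups


def ordered_netgroups(groups):
    """Return netgroup names so every nested netgroup precedes its parent.

    Raises on a reference cycle or on a nested name missing from the map,
    both of which would otherwise surface as ipa errors half-way through.
    """
    done, order = set(), []

    def visit(name, path):
        if name in done:
            return
        if name in path:
            raise ValueError("netgroup cycle: " + " -> ".join(path + [name]))
        if name not in groups:
            raise ValueError("nested netgroup not defined in map: " + name)
        for child in groups[name][2]:
            visit(child, path + [name])
        done.add(name)
        order.append(name)

    for name in groups:
        visit(name, [])
    return order


def ipa_commands(groups):
    """Emit ipa CLI calls for a direct conversion: entries first, then netgroups."""
    cmds = []
    users = sorted({u for _, us, _ in groups.values() for u in us})
    hosts = sorted({h for hs, _, _ in groups.values() for h in hs})
    for u in users:
        # Assumption: NIS has no given/surname, so reuse the login for both.
        cmds.append(f"ipa user-add {u} --first={u} --last={u}")
    for h in hosts:
        # Assumption: --force so the host can be added before its DNS record exists.
        cmds.append(f"ipa host-add {h} --force")
    for name in ordered_netgroups(groups):
        hs, us, nested = groups[name]
        cmds.append(f"ipa netgroup-add {name}")
        if us:
            cmds.append(f"ipa netgroup-add-member {name} --users={','.join(us)}")
        if hs:
            cmds.append(f"ipa netgroup-add-member {name} --hosts={','.join(hs)}")
        if nested:
            cmds.append(f"ipa netgroup-add-member {name} --netgroups={','.join(nested)}")
    return cmds


if __name__ == "__main__":
    for cmd in ipa_commands(parse_netgroup_map(NIS_NETGROUP_MAP)):
        print(cmd)
```

Pipe the real map in with `ypcat -k netgroup | python3 this_script.py` after replacing the embedded sample with `sys.stdin.read()`, review the printed commands, and only then run them (after `kinit admin`). Users created this way have no password until one is set, and an entry that already exists will make the corresponding `ipa ... -add` fail, which is the intended behaviour for a one-shot conversion.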

7.5.2. Enabling the NIS Listener in FreeIPA

The FreeIPA Directory Server can function as a limited NIS server. The slapi-nis plug-in sets up a special NIS listener that receives incoming NIS requests and manages the NIS maps within the Directory Server. FreeIPA uses three NIS maps:
  • passwd
  • group
  • netgroup
Using FreeIPA as an intermediate NIS server offers a reasonable way to handle NIS requests while migrating NIS clients and data.
The slapi-nis plug-in is not enabled by default. To enable NIS for FreeIPA:
  1. Obtain new Kerberos credentials as a FreeIPA admin user.
    [root@ipaserver ~]# kinit admin
  2. Enable the NIS listener and compatibility plug-ins:
    [root@ipaserver ~]# ipa-nis-manage enable
    [root@ipaserver ~]# ipa-compat-manage enable
  3. Restart the rpcbind (portmapper) service, which the NIS listener registers with, and the Directory Server:
    [root@ipaserver ~]# service rpcbind restart
    [root@ipaserver ~]# service dirsrv restart

7.5.3. Setting Weak Password Encryption for NIS User Authentication to FreeIPA

NIS clients verify a password by comparing it, with crypt(3), against the hash published in the passwd map, so a NIS server can only serve CRYPT password hashes. Once an existing NIS server is migrated to FreeIPA (and its underlying LDAP database), it may still be necessary to preserve NIS-compatible CRYPT passwords for clients that have not yet been moved off NIS. However, the LDAP server does not use CRYPT hashes by default; it uses SSHA or SSHA-256. If the 389 Directory Server password hash is not changed, then NIS users cannot authenticate to the FreeIPA domain, and kinit fails with password failures.
To set the underlying 389 Directory Server to use CRYPT as the password hash, change the passwordStorageScheme attribute under cn=config using ldapmodify, binding as the Directory Manager (the server hostname follows -h):
[root@server ~]# ldapmodify -D "cn=Directory Manager" -w secret -p 389 -h

dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt


Changing the password storage scheme only applies the scheme to passwords set or changed after the change; it does not retroactively re-hash existing passwords, so users whose passwords are still stored as SSHA or SSHA-256 cannot authenticate through NIS until they reset their password.
If weak crypto is required for password hashes, it is better to change the setting as early as possible in the migration, so that as many user passwords as possible are stored in the CRYPT form that NIS clients can verify. CRYPT is a weak hash; once the last NIS client has been migrated, set passwordStorageScheme back to SSHA-256 with the same ldapmodify procedure.
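Because the scheme change is not retroactive, the practical question after applying it is which users still carry an SSHA hash and must reset their password before NIS authentication works for them. The following is an added example, not part of the original documentation or of FreeIPA: it audits an LDIF export of the users container (for instance `ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=users,cn=accounts,dc=example,dc=com uid userPassword`) and reports each user's hash scheme. The sample LDIF is constructed inline; it covers the base64-encoded `userPassword::` form that ldapsearch produces, LDIF line folding, and users with no password at all. The base DN and user names are assumptions.

```python
import base64

# Constructed sample of an ldapsearch LDIF export. The hash values are made
# up; only their {SCHEME} prefix matters to the audit. Values are base64
# encoded (":: ") for alice, folded across lines for bob, and absent for carol.
_SSHA_VALUE = base64.b64encode(b"{SSHA}" + b"0123456789abcdef" * 2).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com\n"
    "uid: alice\n"
    "userPassword:: " + _SSHA_VALUE + "\n"
    "\n"
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com\n"
    "uid: bob\n"
    "userPassword: {CRYPT}abJnggxh\n"
    " B/yWI\n"
    "\n"
    "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com\n"
    "uid: carol\n"
    "\n"
)


def _unfold(ldif_text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _entries(ldif_text):
    """Yield one {attr: value} dict per LDIF entry (entries separated by blank lines)."""
    entry = {}
    for line in _unfold(ldif_text) + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if attr.endswith(":"):  # "attr:: value" means base64-encoded value
            attr = attr[:-1]
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        entry[attr.lower()] = value.strip()
    # trailing "" sentinel guarantees the last entry is flushed above


def scheme_of(user_password):
    """Return the hash scheme name from a '{SCHEME}hash' userPassword value."""
    if user_password is None:
        return "NONE"
    if user_password.startswith("{") and "}" in user_password:
        return user_password[1:user_password.index("}")].upper()
    return "UNKNOWN"  # no scheme prefix: cleartext or unrecognised encoding


def password_schemes(ldif_text):
    """Map each uid in the export to the scheme its stored password uses."""
    return {e["uid"]: scheme_of(e.get("userpassword"))
            for e in _entries(ldif_text) if "uid" in e}


def needs_reset(ldif_text, wanted="CRYPT"):
    """Users whose hash NIS clients cannot verify and who must reset their password."""
    return sorted(uid for uid, s in password_schemes(ldif_text).items() if s != wanted)


if __name__ == "__main__":
    for uid, scheme in password_schemes(SAMPLE_LDIF).items():
        print(f"{uid}: {scheme}")
    print("must reset before NIS login works:", ", ".join(needs_reset(SAMPLE_LDIF)))
```

Run it against the real export by reading the LDIF from a file instead of `SAMPLE_LDIF`; the list it prints is the set of users to contact for a password reset. Run the same audit again after NIS is decommissioned and the scheme has been set back to SSHA-256, this time with `wanted="SSHA256"`, to find the accounts still carrying a weak CRYPT hash.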